P
US8817974B2ActiveUtilityPatentIndex 55

Finite field cryptographic arithmetic resistant to fault attacks

Assignee: SCHAFFER MARTINPriority: May 11, 2011Filed: May 11, 2011Granted: Aug 26, 2014
Est. expiryMay 11, 2031(~4.8 yrs left)· nominal 20-yr term from priority
Inventors:SCHAFFER MARTINMURRAY BRUCE
G06F 2207/7271G06F 7/724
55
PatentIndex Score
2
Cited by
37
References
10
Claims

Abstract

Various embodiments relate to a method for integrity protected calculation of a cryptographic function including: performing an operation c=a∘b in a cryptographic function f(x 1 , x 2 , . . . , x n ) defined over a commutative ring R; choosing a′ and b′ corresponding to a and b such that a′ and b′ are elements of a commutative ring R′; computing c′=a′∘′b′; computing a″=CRT(a, a′) and b″=CRT(b, b′), where CRT is the Chinese Remainder Theorem; computing c″=a″∘″b″; mapping c″ into R′; and determining if the mapping of c″ into R′ equals c′.

Claims

exact text as granted — not AI-modified
We claim: 
     
       1. A method for integrity protected calculation of a cryptographic function on a cryptographic processor comprising:
 performing on a cryptographic processor an operation c=a∘b in a cryptographic function f p,q (x 1 , x 2 , . . . , x n ) defined over a commutative ring R, wherein a and b are any one of x 1 , x 2 , . . . , x n  and p and q are prime such that  p p≡1 (MOD q) and  q q≡1 (MOD p); 
 choosing a′ and b′ corresponding to a and b such that a′ and b′ are elements of a commutative ring R′, with a modulus m that is coprime with p·q, wherein a′ and b′ are a cyclic redundancy check of a and b; 
 computing c′=a′∘b′; 
 computing a″=CRT p,q (a, a′) and b″=CRT p,q (b, b′), where CRT is a Chinese Remainder Theorem defined as CRT p,q (a,b)=(a  p  p+b  q  q) MOD pq; 
 computing c″=a″∘″b″; 
 calculating a mapping of c″ into R′=c″ mod m; and 
 determining if the mapping of c″ into R′ equals c′, and then indicating that no fault is detected, 
 wherein if the mapping of c″ into R′ equals c′ then repeating the above steps to further calculate the cryptographic function f p,q (x 1 , x 2 , . . . , x n ) for other values of a and b, otherwise indicate that the calculation of the cryptographic function f p,q (x 1 , x 2 , . . . , x n ) is invalid. 
 
     
     
       2. The method of  claim 1 , wherein the cryptographic function is based upon a factoring problem. 
     
     
       3. The method of  claim 1 , wherein the cryptographic function is based upon a discrete logarithm problem. 
     
     
       4. The method of  claim 1 , wherein choosing a′ and b′ includes setting a′=α′ and b′=α′, where α′ is a constant in R′ and further comprising:
 computing α″=CRT(0, α′), wherein computing c″ includes computing c″=a″∘″b″−″{tilde over (α)} where {tilde over (α)}=α″ if ∘″=+″ and {tilde over (α)}=α″(α″−1) if ∘″=·″. 
 
     
     
       5. The method of  claim 4 , wherein if the mapping of c″ into R′ equals α′ then repeating the method of  claim 1  to further calculate the cryptographic function f p,q (x 1 , x 2 , . . . , x n ) for other values of a and b, otherwise indicate that the calculation of the cryptographic function f p,q (x 1 , x 2 , . . . , x n ) is invalid. 
     
     
       6. A non-transitory storage medium encoded with instructions for performing an integrity protected calculation of a cryptographic function comprising:
 instructions for performing on a cryptographic processor an operation c=a∘b in a cryptographic function f p,q (x 1 , x 2 , . . . , x n ) defined over a commutative ring R, wherein a and b are any one of x 1 , x 2 , . . . , x n  and p and q are prime such that  p p≡1 (MOD q) and  q q≡1 (MOD p); 
 instructions for choosing a′ and b′ corresponding to a and b such that a′ and b′ are elements of a commutative ring R′, with a modulus m that is coprime with p·q, wherein a′ and b′ are a cyclic redundancy check of a and b; 
 instructions for computing c′=a′∘′b; 
 instructions for computing a″=CRT p,q (a, a′) and b″=CRT p,q (b, b′), where CRT is a Chinese Remainder Theorem defined as CRT p,q (a,b)=(a  p  p+b  q  q) MOD pq; 
 instructions for computing c″=a″∘″b″; 
 instructions for calculating a mapping of c″ into R′=c″ mod m; and 
 instructions for determining if the mapping of c″ into R′ equals c′, and then indicating that no fault is detected, 
 wherein if the mapping of c″ into R′ equals c′ then repeating the above instructions to further calculate the cryptographic function f p,q (x 1 , x 2 , . . . , x n ) for other values of a and b, otherwise indicate that the calculation of the cryptographic function f p,q (x 1 , x 2 , . . . , x n ) is invalid. 
 
     
     
       7. The non-transitory storage medium of  claim 6 , wherein the cryptographic function is based upon a factoring problem. 
     
     
       8. The non-transitory storage medium of  claim 6 , wherein the cryptographic function is based upon a discrete logarithm problem. 
     
     
       9. The non-transitory storage medium of  claim 6 , wherein choosing a′ and b′ includes setting a′=α′ and b′=α′, where α′ is a constant in R′ and further comprising:
 instructions for computing α″=CRT(0, α′), wherein instructions for computing c″ includes computing c″=a″∘″b″−″{tilde over (α)} where {tilde over (α)}=α″ if ∘″=+″ and {tilde over (α)}=α″(α″−1) if ∘″=·″. 
 
     
     
       10. The non-transitory storage medium of  claim 9 , wherein if the mapping of c″ into R′ equals α′ then repeating the method of  claim 1  to further calculate the cryptographic function f p,q (x 1 , x 2 , . . . , x n ) for other values of a and b, otherwise indicate that the calculation of the cryptographic function f p,q (x 1 , x 2 , . . . , x n ) is invalid.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.